# general
you have the public key in the node process (in memory). And when you get a JWT, you verify the signature using that public key. If it checks out, and the JWT hasn't expired, and the anti-csrf verification is done, then you're good to go!